ransomware. who else is worried, and do any service providers offer useful defense?


WHS Ict Technician

Mar 30, 2016, 6:31:19 PM
to Techies for schools
I'm worried about ransomware - at the moment because we still haven't re-instated my server room after the fire, so I'm down to a single backup of my own systems, and many of the staff haven't bothered to come and get their machines adjusted to add cloud backups - so they are now totally exposed.

https://www.reddit.com/r/sysadmin/comments/4cku1e/got_the_lol_virus_this_morning/

describes the impact, and raises a couple of protection methods that I'm not seeing on any available service providers:

  • adblocking at a DNS level across your org (I was doing this, but can't atm)
  • A proxy with content filtering and user-agent anonymity

Google vault is going to be useful for all our cloud data.


What other approaches are there?

It is only a matter of time before we get hit, imo

Craig Knights

Mar 30, 2016, 6:33:48 PM
to techies-f...@googlegroups.com
Can you write up your concerns about lazy staff and take it to the school management?  Make them crack the whip?

ta
CJK



--
You received this message because you are subscribed to the Google Groups "Techies for schools" group.
To unsubscribe from this group and stop receiving emails from it, send an email to techies-for-sch...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

WHS Ict Technician

Mar 30, 2016, 6:43:29 PM
to Techies for schools


On Thursday, March 31, 2016 at 11:33:48 AM UTC+13, craig.knights wrote:
> Can you write up your concerns about lazy staff and take it to the school management?  Make them crack the whip?

I'm looking for technical solutions on here!  Policy and compliance is one thing, but I'd prefer to have systems in place that mitigate user behaviours. That's why I'm in IT and not in management.

Is anyone using SonicWall? They seem to be the only outfit that can block HTTP/S tunneled VPNs, and from what I've read they are proactive against ransomware (in the initial connect-to-home phase of infection).

Keith Craig

Mar 30, 2016, 6:54:03 PM
to techies-f...@googlegroups.com
Content Keeper also can do https decryption and has malware detection. To catch all VPNs you really need to run full decryption at the gateway, which is another discussion.

Keith Craig BCom PGDipBus(IS) CNE
Systems Administrator 


Alistair Baird

Mar 30, 2016, 7:01:48 PM
to techies-f...@googlegroups.com
We use ESET on all our machines, and I have seen it kill a few cryptovirus attachments in the logs. Funnily enough, users haven't told me about it though!




--
Alistair Baird
IT Manager
St Peters College 
p 06 354 4198
m 021 990 259

Tracy Briscoe

Mar 31, 2016, 12:00:11 AM
to techies-f...@googlegroups.com
We had an incident recently where a user got hit after going to the compromised website of a local business. Neither Symantec Endpoint Protection, nor the AV scanning on our FortiGate firewall (which is only allowing specified protocols, and is doing DPI-SSL) intercepted it. Thankfully not too much was encrypted and we were able to recover quickly from backups.

As an immediate step we have now implemented a black list on all school computers, blocking programs from running from %appdata%. This stops programs running from the likes of %temp% and Temporary Internet files.
We are looking at running a white list where only programs in %windir%, %ProgramFiles%, and %ProgramFiles(x86)%, and a few other locations are allowed to run.

The main problems we’ve hit with the black list are:
* That installers often unpack to %temp% and hence won't work - this can be solved by not applying the policy to administrators - assuming your users don't have admin rights.
* If users have installed Chrome it won't run as it installs itself into %appdata%. The work around for this is to whitelist chrome.
* Exchange PowerShell won't work as it copies to and runs from %temp%. The workaround for this is to have user accounts that are only used on servers which are exempt from the policy.

Another solution which is used by a local IT company is to use 'File Screening Management' on the fileserver to report whenever a file of a certain extension is created. The file screen is then loaded with the list of known extensions used by ransomware. This method is by no means foolproof: first you have to find and maintain a list of extensions used by ransomware, second some ransomware (like the one we saw) used a common file extension (.mp3) for the encrypted files, and of course once you start seeing encrypted files appearing, you are already losing data.

Regards,
Tracy



St Peter's School, Cambridge, New Zealand
Telephone: 647 827 9899 Fax: 647 827 9812
Website: www.stpeters.school.nz<http://www.stpeters.school.nz/>

Please consider the environment before printing this email
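The two controls Tracy describes above (the executable blacklist/whitelist on school computers, and the FSRM file screen that reports files with known ransomware extensions) can both be scripted. The following is an added example written for this thread, not code from Tracy or from any vendor mentioned here. It builds an AppLocker executable whitelist (allow %windir% and %ProgramFiles%, an explicit exception for per-user Chrome, local administrators exempt) in audit-only mode, and a passive FSRM file screen that raises an event and an e-mail when a matching file is written. It assumes Windows Server 2012 R2 or later with the File Server Resource Manager role for the screen, an Enterprise/Education client SKU for AppLocker, and an elevated PowerShell session; the share paths, the extension patterns and the Chrome path are constructed placeholders.

```powershell
# Added example (not from the thread). Two functions: an AppLocker exe whitelist in
# audit-only mode, and a passive FSRM file screen reporting known ransomware patterns.
# Assumptions: elevated PowerShell, FSRM role installed on the file server, AppLocker-
# capable Windows SKU. Paths and pattern lists below are constructed placeholders.

function New-SchoolAppLockerPolicy {
    param(
        [string] $PolicyFile = "$env:TEMP\applocker-exe-whitelist.xml",
        # AppLocker has no %APPDATA% variable, so per-user Chrome is matched through
        # %OSDRIVE% with a wildcard for the profile name (placeholder path).
        [string] $ChromePath = '%OSDRIVE%\Users\*\AppData\Local\Google\Chrome\Application\chrome.exe'
    )
    # S-1-1-0 = Everyone, S-1-5-32-544 = BUILTIN\Administrators (the "admins are
    # exempt" part). EnforcementMode=AuditOnly only logs what would be blocked
    # (Applications and Services Logs > Microsoft > Windows > AppLocker); change it
    # to "Enabled" once the exception list is complete. Anything not allowed
    # (including %APPDATA% and %TEMP%) is implicitly denied for standard users.
    $xml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow Windows folder" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Allow per-user Chrome (user-writable path; prefer a publisher rule in production)" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="$ChromePath" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Administrators may run anything" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
    Set-Content -Path $PolicyFile -Value $xml -Encoding UTF8
    # AppLocker rules are only evaluated while the Application Identity service runs.
    sc.exe config appidsvc start= auto | Out-Null
    Start-Service -Name AppIDSvc
    # Apply to the local machine, merging with any rules already present.
    Set-AppLockerPolicy -XmlPolicy $PolicyFile -Merge
    return $PolicyFile
}

function New-RansomwareFileScreen {
    param(
        [string[]] $Path = @('D:\Shares\Staff', 'D:\Shares\Students'),   # constructed share paths
        [string]   $GroupName = 'Ransomware patterns (example list)'
    )
    # Placeholder patterns: a real list needs ongoing maintenance, and a variant that
    # reuses a common extension such as .mp3 will not match at all.
    $patterns = @('*.locked', '*.encrypted', '*.crypt', '*HOW_TO_DECRYPT*', '*DECRYPT_INSTRUCTIONS*')

    Import-Module FileServerResourceManager
    if (Get-FsrmFileGroup -Name $GroupName -ErrorAction SilentlyContinue) {
        Set-FsrmFileGroup -Name $GroupName -IncludePattern $patterns | Out-Null
    } else {
        New-FsrmFileGroup -Name $GroupName -IncludePattern $patterns `
            -Description 'File name patterns associated with ransomware (example)' | Out-Null
    }

    # [Source Io Owner], [Source File Path] and [Server] are FSRM notification macros;
    # [Admin Email] resolves to the FSRM administrator recipients (needs an SMTP server
    # configured with Set-FsrmSetting). The account named in the event is the one to
    # isolate first, since the file screen fires only after encryption has started.
    $body  = 'User [Source Io Owner] wrote [Source File Path] on [Server]; this matches a ransomware pattern.'
    $event = New-FsrmAction -Type Event -EventType Warning -Body $body
    $mail  = New-FsrmAction -Type Email -MailTo '[Admin Email]' -Subject 'Possible ransomware on [Server]' `
                 -Body $body -RunLimitInterval 5

    foreach ($p in $Path) {
        if (Get-FsrmFileScreen -Path $p -ErrorAction SilentlyContinue) {
            Remove-FsrmFileScreen -Path $p -Confirm:$false
        }
        # -Active:$false = passive screen: report the write, do not block it.
        New-FsrmFileScreen -Path $p -IncludeGroup $GroupName -Notification $event, $mail -Active:$false `
            -Description 'Report creation of files matching known ransomware patterns' | Out-Null
    }
    # Return the screens so the result can be checked.
    Get-FsrmFileScreen | Where-Object { $_.Path -in $Path } | Select-Object Path, Active, IncludeGroup
}

# Usage (run each on the machine it applies to):
# New-SchoolAppLockerPolicy                      # on a client, then review AppLocker audit events
# New-RansomwareFileScreen -Path 'D:\Shares\Staff'   # on the file server
```

Screen notifications appear in the Application event log under source SRMSVC, which is what a monitoring tool or a scheduled task should watch. The AppLocker rules mirror the whitelist Tracy plans: only %windir% and %ProgramFiles% are allowed, so installers unpacking to %temp% fail for standard users and succeed for administrators, and the Chrome exception shows the cost of allowing a user-writable path (a publisher rule on Google's signing certificate is the stronger form).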

Terence Fleming

Mar 31, 2016, 5:13:17 PM
to Techies for schools
A couple of things to think about:

Make sure that the devices over which you have no control (e.g. all those BYOD devices) are treated as Untrusted, and that you are leveraging the firewalls in your Access Points to keep BYOD traffic away from sensitive assets (e.g. servers).  Keep them on a different VLAN as well if you can, but do not rely on a VLAN alone for security and traffic separation.

Lock down as best you can your Trusted devices (the ones over which you have control).

Install end point protection and make sure it is on all the time.   We use (and sell, declaration of interest here!) Webroot, which does not "get in the way" of normal operations as much as some other tools we have tried.  

Maintain backups of anything you care about.  The article talks about Datto, which is really good if you need to make onsite backups of large volumes of data: if you are talking about small data volumes then there are plenty of cloud based alternatives.

flow in

Mar 31, 2016, 5:22:56 PM
to techies-f...@googlegroups.com


> Maintain backups of anything you care about.  The article talks about Datto, which is really good if you need to make onsite backups of large volumes of data: if you are talking about small data volumes then there are plenty of cloud based alternatives.


All great points. I've had most of them in place but I'm still concerned. Does SEP catch the crypto variants before they start operating? I guess to an extent I'm hoping that other people see the flaws in the n4l offering (and in my case, my Meraki security appliance) and start clamouring for more proactive firewalls/filtering. I'd be happier if the seriousness of the problem is dealt with before one of us suffers extensive loss. Most of us on here are proactive and skilled. There's lots of schools that are not so lucky, so surely the school ISP should be on top of this?

Deep backups seem the most effective protection. Do you know of Datto suppliers in NZ?

Is there an opportunity for a distributed school based cloud backup system, leveraging n4l links to share data across server racks? There's an issue with domiciling of data that means the global cloud is not necessarily OK to use (depending on interpretation of legislation).


Tracy Briscoe

Mar 31, 2016, 6:07:45 PM
to techies-f...@googlegroups.com
> Does SEP catch the crypto variants before they start operating?

Short answer maybe, maybe not.

Antivirus software (including SEP) can work in a couple of ways.
1) having a list of signatures which identify known malware.
2) use heuristics to try and detect unknown malware.

So in the case of 1, the antivirus software should stop the malware from running, but as it only detects known malware, then anything new is not detected.
With case 2 it is possible that the program is running before the antivirus detects 'bad' behaviour.


> start clamouring for more proactive firewalls/filtering. ... so surely the school ISP should be on top of this?
No filtering - except block everything - will be 100% effective.
Firewalls can use signatures to halt the download of (some) known malware, but cannot stop all unknown malware. I say 'some' as malware can have the 'bad' part of its code encrypted, so that it can't be detected without decrypting that part of the code.
To expect the firewall to analyse the intent of code before letting it through is not feasible, and would probably end up hitting the equivalent of the Halting Problem (https://en.wikipedia.org/wiki/Halting_problem).

Regards,
Tracy

flow in

Mar 31, 2016, 6:14:51 PM
to techies-f...@googlegroups.com
not 100%, but some manufacturers are making a dent: https://support.software.dell.com/kb/sw12434

There are distinct phases to an infection, and stopping the home dialling appears to stop many. I agree that the non-signature, non-heuristic analysis of code by a firewall is not feasible.
Why are we letting our filtering providers get away with excuses? SonicWall stops those HTTP/S tunneled VPNs too, by being smart about it.

